diff --git a/Cargo.lock b/Cargo.lock index 998e135..dacdd85 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -279,7 +279,7 @@ checksum = "a1d728cc89cf3aee9ff92b05e62b19ee65a02b5702cff7d5a377e32c6ae29d8d" [[package]] name = "cm-dashboard" -version = "0.1.245" +version = "0.1.247" dependencies = [ "anyhow", "chrono", @@ -301,7 +301,7 @@ dependencies = [ [[package]] name = "cm-dashboard-agent" -version = "0.1.245" +version = "0.1.247" dependencies = [ "anyhow", "async-trait", @@ -325,7 +325,7 @@ dependencies = [ [[package]] name = "cm-dashboard-shared" -version = "0.1.245" +version = "0.1.247" dependencies = [ "chrono", "serde", diff --git a/agent/Cargo.toml b/agent/Cargo.toml index 3b8468c..19759f7 100644 --- a/agent/Cargo.toml +++ b/agent/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "cm-dashboard-agent" -version = "0.1.246" +version = "0.1.247" edition = "2021" [dependencies] diff --git a/agent/src/collectors/systemd.rs b/agent/src/collectors/systemd.rs index 4580874..d23c62a 100644 --- a/agent/src/collectors/systemd.rs +++ b/agent/src/collectors/systemd.rs @@ -180,6 +180,30 @@ impl SystemdCollector { } } + if service_name == "nftables" && status_info.active_state == "active" { + let (tcp_ports, udp_ports) = self.get_nftables_open_ports(); + + if !tcp_ports.is_empty() { + let metrics = Vec::new(); + sub_services.push(SubServiceData { + name: format!("TCP: {}", tcp_ports), + service_status: Status::Info, + metrics, + service_type: "firewall_port".to_string(), + }); + } + + if !udp_ports.is_empty() { + let metrics = Vec::new(); + sub_services.push(SubServiceData { + name: format!("UDP: {}", udp_ports), + service_status: Status::Info, + metrics, + service_type: "firewall_port".to_string(), + }); + } + } + // Create complete service data let service_data = ServiceData { name: service_name.clone(), @@ -887,6 +911,124 @@ impl SystemdCollector { None } + /// Get nftables open ports grouped by protocol + /// Returns: (tcp_ports_string, udp_ports_string) + fn get_nftables_open_ports(&self) -> (String, String) { + let output = Command::new("timeout") + .args(&["3", "nft", "list", "ruleset"]) + .output(); + + let output = match output { + Ok(out) if out.status.success() => out, + _ => return (String::new(), String::new()), + }; + + let output_str = match String::from_utf8(output.stdout) { + Ok(s) => s, + Err(_) => return (String::new(), String::new()), + }; + + let mut tcp_ports = std::collections::HashSet::new(); + let mut udp_ports = std::collections::HashSet::new(); + + // Parse nftables output for WAN incoming accept rules with dport + // Looking for patterns like: tcp dport 22 accept or tcp dport { 22, 80, 443 } accept + // Only include rules in input chain without private network source restrictions + let mut in_input_chain = false; + + for line in output_str.lines() { + let line = line.trim(); + + // Track if we're in the input chain + if line.contains("chain input") || line.contains("chain INPUT") { + in_input_chain = true; + continue; + } + + // Reset when entering other chains + if line.starts_with("chain ") && !line.contains("input") && !line.contains("INPUT") { + in_input_chain = false; + continue; + } + + // Only process rules in input chain + if !in_input_chain { + continue; + } + + // Skip if not an accept rule + if !line.contains("accept") { + continue; + } + + // Skip internal network traffic (LAN/private networks) + if line.contains("ip saddr 192.168.") || + line.contains("ip saddr 10.") || + line.contains("ip saddr 172.16.") || + line.contains("iifname \"lo\"") { + continue; + } + + // Parse TCP ports + if line.contains("tcp dport") { + for port in self.extract_ports_from_nft_rule(line) { + tcp_ports.insert(port); + } + } + + // Parse UDP ports + if line.contains("udp dport") { + for port in self.extract_ports_from_nft_rule(line) { + udp_ports.insert(port); + } + } + } + + // Sort and format + let mut tcp_vec: Vec = tcp_ports.into_iter().collect(); + let mut udp_vec: Vec = udp_ports.into_iter().collect(); + tcp_vec.sort(); + udp_vec.sort(); + + let tcp_str = tcp_vec.iter().map(|p| p.to_string()).collect::>().join(", "); + let udp_str = udp_vec.iter().map(|p| p.to_string()).collect::>().join(", "); + + (tcp_str, udp_str) + } + + /// Extract port numbers from nftables rule line + /// Returns vector of ports (handles both single ports and sets) + fn extract_ports_from_nft_rule(&self, line: &str) -> Vec { + let mut ports = Vec::new(); + + // Pattern: "tcp dport 22 accept" or "tcp dport { 22, 80, 443 } accept" + if let Some(dport_pos) = line.find("dport") { + let after_dport = &line[dport_pos + 5..].trim(); + + // Handle port sets like { 22, 80, 443 } + if after_dport.starts_with('{') { + if let Some(end_brace) = after_dport.find('}') { + let ports_str = &after_dport[1..end_brace]; + // Parse each port in the set + for port_str in ports_str.split(',') { + if let Ok(port) = port_str.trim().parse::() { + ports.push(port); + } + } + } + } else { + // Single port + if let Some(port_str) = after_dport.split_whitespace().next() { + if let Ok(port) = port_str.parse::() { + ports.push(port); + } + } + } + } + + ports + } + /// Get aggregate qBittorrent torrent statistics /// Returns: (active_count, download_mbps, upload_mbps) fn get_qbittorrent_stats(&self) -> Option<(u32, f32, f32)> { diff --git a/dashboard/Cargo.toml b/dashboard/Cargo.toml index b82bf6a..4234559 100644 --- a/dashboard/Cargo.toml +++ b/dashboard/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "cm-dashboard" -version = "0.1.246" +version = "0.1.247" edition = "2021" [dependencies] diff --git a/shared/Cargo.toml b/shared/Cargo.toml index ec17813..8a602eb 100644 --- a/shared/Cargo.toml +++ b/shared/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "cm-dashboard-shared" -version = "0.1.246" +version = "0.1.247" edition = "2021" [dependencies]